Compliance with GDPR is managed from the bottom up. The first step is awareness and readiness among staff at all levels who process the personal data your organization handles. Follow the principles set out in GDPR, which constitute its core requirements, and establish the processing procedures needed to meet the requirements of all clauses on data processing. Understand your data processing activities by taking an inventory of all data and processes, and confirm that all data collected, directly or indirectly, is relevant to your specific purposes of processing and compliant with the legal basis of GDPR. Carry out all required activities: inform data subjects of your legal basis and of how you will keep, use or transfer their data; provide a channel or interface through which data subjects can exercise their rights; and comply with all requirements on using a data processor or transferring data to third countries. If you keep the data in your organization, appropriate safeguards and protection by default should be in place. To maintain compliance with GDPR, a DPO and a privacy protection organization are recommended. Risk assessments and compliance checks will help identify the steps needed to meet all the requirements of GDPR.